Vulnerabilities in KNIME-provided Jackson

Hi all,

I am working on a small Java library that I used in some KNIME nodes, and I used the same version of the Jackson libraries provided by the KNIME update site (2.8.9); my KNIME target file is from 4.2 (https://update.knime.com/analytics-platform/4.2/). GitHub's bot warned me of many vulnerabilities in jackson-databind 2.8.9, 25 according to "Fasterxml Jackson-databind version 2.8.9 : Security vulnerabilities", and recommends that I use 2.9.10.7. Do you know if there is a newer version of this library in later KNIME releases, or whether an upgrade is being considered for the future?

Thanks,
Miguel

Hello @miguelalba,

We recommend that you upgrade AP to 4.3.2 (latest) and then run updates/install latest extensions. Anecdotally, my installation of 4.3.2 has jackson-databind 2.11.0 listed as part of the installation.

Thank you,
Nickolaus
